General

What is a noncriminal justice agency or NCJA?
A noncriminal justice agency (NCJA) is an agency that conducts criminal history record checks on applicants for licensing or employment purposes. There are two types of NCJAs: those statutorily authorized to conduct state and national fingerprint-based background checks under Public Law 92-544, and those qualified under the Volunteer and Employee Criminal History System (VECHS) to conduct state and national fingerprint-based background checks because they serve a vulnerable population (children, the disabled, or the elderly) as defined in the National Child Protection Act (NCPA) and Volunteers for Children Act (VCA).

What is criminal justice information (CJI)?
Criminal justice information or CJI is any information obtained from a national criminal justice data system. However, in the scope of noncriminal justice use, it is easier to define CJI as criminal history information and data received from a state and/or national fingerprint-based record check (in Florida, referred to as Level 2) for hiring/licensure/volunteer screening purposes. The terms CJI and criminal history information are relatively interchangeable.

What is the National Crime Prevention and Privacy Compact Council?
Essentially, the Compact Council governs the national access to CJI for the NCJA community. On October 9, 1998, President Clinton signed into law the National Crime Prevention and Privacy Compact (Compact) Act of 1998, establishing an infrastructure by which states can exchange criminal records for noncriminal justice purposes according to the laws of the requesting state and provide reciprocity among the states to share records.

The Compact Council, as a national independent authority, works in partnership with criminal history record custodians, end users, and policy makers to regulate and facilitate the sharing of complete, accurate, and timely criminal history record information with noncriminal justice users in order to enhance public safety, welfare, and security of society while recognizing the importance of individual privacy rights. For more information, please visit the FBI's National Crime Prevention and Privacy Compact Council website at www.fbi.gov/services/cjis/compact-council

Who is the Compact Officer for Florida?
FDLE CJIS Director Charles Schaeffer is the Compact Officer for Florida.

Who is the CJIS Systems Agency (CSA)/State Identification Bureau (SIB)?
FDLE is the CSA and SIB for Florida.

What is outsourcing?
Outsourcing is the process of having another entity perform a given service/function on behalf of the authorized recipient, including storage of CJI, destruction of CJI, or IT support where access to CJI may be incidental but necessary. Florida requires agencies to adhere to the Security and Management Control Outsourcing Standard for Non-Channelers established by the Compact Council. To review this standard, please see our Resources page.

Does Florida allow outsourcing?
Yes, but FDLE shall be notified and the request granted by the State Compact Officer prior to the work being performed where access (Physical/Logical) to CJI will be needed.

Information Security

What is the CJIS Security Policy (CSP)?
The Federal Bureau of Investigation (FBI) Criminal Justice Information Services (CJIS) Security Policy is the set of baseline standards developed and approved by the FBI CJIS Advisory Policy Board (APB) for securing criminal justice information (CJI).

How can we get a copy of the CSP?
A copy of the CSP can be found on our website.

What parts of our agency have to comply with the CSP?
Typically, only those personnel and systems used to process or store CJI are required to comply with the CJIS Security Policy (CSP). However, how systems are integrated within the agency may change the scope of compliance.

Is our agency required to have our own security policy?
There are a number of policies and procedures that your agency will be required to specifically document, including, but not limited to, media disposal procedures and incident response procedures. Depending on your agency’s retention of CJI, you may also have to document your authentication strategy, patch management policy and network configuration.

What is incident response?
Incident response is the action taken by your agency as the result of an actual or perceived computer/IT incident/attack that involves CJI.

What are we supposed to do for incident response?
First, you must have a plan. Each entity’s plan will be different based on its job/function and, potentially, the computer, server or network that is used to process or store CJI. Most large or “technical” agencies will probably already have an incident response plan.

What do we need to include in our incident response plan?
The CJIS Security Policy requires that your plan cover preparation, detection and analysis, containment, eradication, and recovery. You will also need to notify the FDLE CJIS ISO of the incident by sending an email to CJISISO@flcjn.net.

What is media protection?
You are required to follow certain standards (section 5.8 of the CJIS Security Policy) for protecting the media on which criminal justice information is recorded (electronic or hard copy/paper). These standards cover storage, transport, transmission and disposal/sanitization of CJI or media storing CJI.

Compliance

What does our agency need to do to comply with Section 5.1.1.6 Agency User Agreements?
The CJIS Security Policy and FDLE require an agency/entity to sign a user agreement prior to processing fingerprints for that agency. The agreement required by FDLE meets this policy.

We don’t have our “own” IT staff; the city/county provides IT support for our agency. Is there anything we need to do?
You must have an agreement that the supporting entity will abide by the specified rules of your agency's user agreement with FDLE.

We don’t have our “own” IT staff; we contract to a private company to provide IT support for our agency. Is there anything we need to do?
You must incorporate the requirements of your agency's user agreement with FDLE into the contract for the services provided.

What is access?
Access is the ability to “touch” hardware and/or “see” information both in a physical and/or electronic sense. Someone who can pull the plug out of the back of a computer, or someone who can hold a printout in their hands, has “physical” access. Someone who can open an electronic file and read its contents, or can log into the IT component to perform maintenance, has “logical” access.

Can we share CJI or criminal history information?
CJI and/or criminal history information can only be shared or “disseminated” as allowed by your agency’s user agreement with FDLE, state statutes or federal guidelines.

How do I know if another agency or person is authorized to receive criminal history information or CJI?
Any questions regarding authorized recipients shall be directed to the FDLE CJIS Audit unit at fciccompliance@fdle.state.fl.us. When you contact the Audit and Compliance Unit, please include the authority by which you feel the dissemination/release of criminal history information is authorized.

What is secondary dissemination?
Secondary dissemination is the process of sharing or “disseminating” criminal justice information (CJI) with another authorized agency/entity. The CJIS Security Policy requires all secondary disseminations to be documented in a “secondary dissemination log”.

Is there anything we must do before we surplus equipment that was used to process or store criminal history information?
Any computer or server that has stored criminal history information must be sanitized before being “released” for surplus or leaving the control of your agency. The suggested method of sanitization is destruction. If you release the hard drive, it must have been completely overwritten at least three times. This process applies to any electronic media that has stored CJI, including “biz hubs” and flash drives.

What are the audit records identified in Appendix J, Paragraph 1. g.?
Systems that are used to process and store criminal justice information are required to “log” certain events. The application that is processing or storing the information typically has the ability to log these events for future review. These logs must be maintained for at least 365 days.

What do we do with old servers that stored CJI? Are there any steps we have to take?
Computer or server hard drives that have stored CJI must be properly disposed of, and the process must be documented. There are two options:

the hard drive (or other electronic media) must be wiped at least three times, or

the hard drive/media must be physically destroyed.

Specialized wiping software overwrites the entire drive with “1”s and “0”s. Most software available typically overwrites the drive seven times.

Destruction can be accomplished by drilling multiple holes in the drive. There are shredders that will destroy a hard drive. Whichever process your agency chooses, it must be defined in an agency policy.

What is a controlled area?
A controlled area is where criminal justice information is accessed and “processed”. Processing includes reviewing for decision-making purposes.

A controlled area is defined in section 5.9.2 of the CJIS Security Policy. Within a “controlled area” your agency must:

Limit access to the area during CJI processing

Lock the area/room/storage container when unattended

Position computer screens and documents to prevent unauthorized individuals from viewing

Follow the encryption requirements for electronic storage (data at rest)

Use an advanced authentication process to access the electronic data if the data is located on a server-type or centralized computer.

Training

What is a Local Agency Security Officer (LASO)?
Each agency required to comply with the CSP must have a LASO. The LASO ensures compliance with the CSP and acts as the security point of contact with the CJIS Systems Agency (CSA). FDLE is the CSA for Florida.

Is the LASO supposed to be a specific person or can it be assigned to a position?
It can be a specific person or a position. Whoever fulfills the duties of LASO needs to be aware of the responsibilities, including the interaction with FDLE. FDLE needs to know who this person is, as they are the primary contact for compliance and security-related issues. Therefore, if your agency specifies a position to be the LASO, each time a different person fills that position, FDLE must be notified who the new person is and given contact information for that person.

What are the LASO's duties?
According to the CSP, each LASO shall:

Identify who has access to hardware, software, and firmware used to process/store CJI and ensure no unauthorized individuals or processes have access to the same.

Identify and document if and how the equipment is connected to the state system.

Ensure the approved and appropriate security measures are in place and working as expected.

Support policy compliance and ensure CSA ISO is promptly informed of security incidents.

Background checks are not required for those employees of noncriminal justice agencies accessing CJI or maintaining systems used to process or store CJI because there is no specific enabling legislation that meets this requirement. Therefore, agencies are encouraged to conduct criminal records screenings to the extent possible on anyone having access to CJI.

Who can be the LASO?
The agency may designate any member to perform LASO duties. It should be someone familiar with the processes associated with the agency’s use of CJI.

Who needs security awareness training?
Anyone who has “access” to CJI, including IT support personnel who work on the machines that process or store the information.

How do we get security awareness training?
FDLE provides security awareness training through an application called CJIS Online. It is a free application that is accessed via the Internet and it meets all of the requirements of the CSP. You will be notified how to access it after FDLE receives information on the person assigned as your LASO.

How does my agency get set up in CJIS Online?
FDLE will work with NCJAs to set up access within CJIS Online. If you have further questions, contact FDLE (phone/email TBD); they will walk you through the process.